Risk governance as a line of defense: Systematic review of hotspots for future research

Abstract
To forestall future financial crises, risk governance has been embraced as a line of defense. Therefore, this paper seeks to synthesize the risk governance literature, identify gaps, and suggest directions for future research, through a systematic literature review (SLR). Analyzing 151 papers from the Scopus and Web of Science databases, this paper finds a steady increase in academic work on risk governance. Using the theory, context, characteristics, and methodology (TCCM) framework, the study emphasizes the importance of chief risk officers, geographical context coverage, and effectiveness and regulation of risk governance. Methodologically, endogeneity issues are a major concern for researchers, with agency theory (AT) being the most popular theory used. Finally, moderating and mediating variables that affect risk governance are identified as important but under-explored. While providing practitioners and policymakers with a framework, empirical testing is encouraged. The study contributes to SDG Goal 8, Target 10 of strengthening financial institutions and promoting a resilient financial system.


PUBLIC INTEREST STATEMENT
Risk governance has been sanctioned as a line of defense to safeguard against cyclical global financial crises or bank runs. This research employs a systematic review to show the structure of knowledge on risk governance, its trends and its major themes. Relevant articles extracted from SCOPUS and Web of Science spanning 1960-2021 were evaluated. The findings show that the chief risk officer role and risk governance's moderating and mediating relationships are under-explored. To guide policymaking, empirical testing, and future studies, a conceptual framework and direction for future research are provided.

Introduction
Risk Governance is a key pillar of Sustainable Development Goal (SDG) 8 target 10 of strengthening financial institutions' capacity. To forestall future global financial crises, financial system regulators have sanctioned a three-tier risk governance line of defense. Management control serves as the first line of defense followed by a second line anchored on compliance oversight and risk control, whereas independent assurances oversight provided by the board and audit is the third and last line of defense (IFC, 2012;IIA, 2013;Lim et al., 2017). Stein and Wiedemann (2016) suggest that risk governance should be approached as a dynamic capability that enables businesses to adapt their policies to changing competitive environments and improve the alignment between a firm's strategy, structure, processes, and environment in relation to risk. Erin and Aribaba (2021) note that risk governance allows firms to be actively involved in the risk process, risk implementation, risk reporting, and disclosure. Evidence suggests that banks with a Chief Risk Officer (CRO) and an experienced risk committee were less risky during the 2008 financial crisis (Srivastav & Hagendorff, 2016). Similarly, the absence of an independent CRO and/or risk committee in most banks during the crisis has emphasized the need for risk governance in banks (Himaj, 2014). A board's capacity to provide effective risk supervision is also dependent on accurate risk assessment and timely disclosure by the risk committee (Srivastav & Hagendorff, 2016). Hence, the most advocated policy response, particularly in the aftermath of the 2008 global financial crisis, is to strengthen risk governance (Himaj, 2014).
Risk governance has been widely studied, including literature reviews (Bufarwa et al., 2020;Elamer et al., 2018;Lu et al., 2022;Nguyen et al., 2020;W. N. Abdullah & Said, 2019). It has been analyzed in corporate governance (Himaj, 2014;Nguyen et al., 2020;Srivastav & Hagendorff, 2016), risk disclosure (Elamer et al., 2021;Ibrahim et al., 2022), and board committee literature (Alhossini et al., 2021;Kolev et al., 2019;Sassen et al., 2018), with one study embracing risk meta-analysis . The review of all board subcommittees dominates board committee reviews, with Alhossini et al. (2021) and Kolev et al. (2019) addressing audit committee, compensation committee, nomination committee and other committees, whereas Sassen et al. (2018) carried out meta-analysis on board committee overlap. As these studies focus on all board sub-committees, the risk committee does not receive adequate attention. This is considered a specialist committee (Alhossini et al., 2021) and according to Kolev et al. (2019) the board's ability to tackle complex issues is enhanced by its use of the risk committee. Although studies addressing single board committees, such as technology committee (Harrast & Swaney, 2019) and audit committee (Alhossini et al., 2021) are known, studies focusing solely on board risk committee are rare.
From the above, as the risk committee literature is normally embedded within risk governance, this paper bridges this research gap by mapping/disclosing the structure of knowledge on risk governance and offers a framework to explain the risk governance dimensions, relationships and outcomes, regarding the risk committee specifically. The following specific research questions guide this systematic literature review (SLR):

RQ1: What is the trend in risk governance publications?
RQ2: What are the methodological and theoretical choices of risk governance scholars?
RQ3: In what contexts has risk governance been studied?
RQ4: Which risk governance perspectives merit further exploration?

In order to accomplish these goals, and to advance a comprehensive overview of the risk governance-risk committee research field, an SLR was carried out using both the Web of Science (WoS) and SCOPUS databases. From 229,519 articles screened, our seven-step screening protocol yielded 151 acceptable papers for the study. Applying the theory, context, characteristics, and methodology (TCCM) framework to organize the findings (Paul & Rosado-Serrano, 2019; Paul et al., 2023), our review found: a steady increase in academic work on risk governance; agency theory (AT) as the most popular theory in discussions of risk governance; that regression analysis was employed in over 85% of the studies; that while the economies of the United States, Malaysia, Australia, and Nigeria have attracted most attention, studies that compare and contrast multiple countries are rare and even fewer studies take a truly global perspective; that research spanning multiple sectors, not just the banking sector, is encouraged; and that scholars should explore mixed methods as opposed to over-reliance on annual reports for risk governance studies. Moreover, we identify moderating and mediating variables that affect risk governance, which are important but under-explored. Finally, delving deeply into risk governance dimensions, our review identifies several under-explored areas within each dimension, suggesting future strands that could advance knowledge of risk governance.
This study makes several contributions to the literature on risk governance. Firstly, it provides a comprehensive overview of the research in this field and proposes a framework for understanding the relationship between risk governance dimensions and financial outcomes, which can stimulate further discussion and research. Secondly, we examine risk governance mechanisms that go beyond financial institutions, which are required by regulators to maintain a risk committee, to other sectors that choose to maintain a risk committee voluntarily. Thirdly, we address the gap in the literature by sourcing data from both the Web of Science and Scopus databases, rather than relying on a single database as previous reviews have done Karyani et al., 2021;Kolev et al., 2019;Pandey et al., 2023). Fourthly, our review adds to the corporate governance literature by highlighting the significance of risk committees as specialized board subcommittees (Kolev et al., 2019). Finally, our study contributes to achieving United Nations Sustainable Development Goal 8, target 10, which aims to strengthen financial institutions' capacity and promote a resilient financial system. The rest of the study is organized as follows. After this introduction, the methodology is described in section 1, followed by presentation of the results in section 2. Section 3 presents the discussion. Finally, section 4 concludes the study, indicating a direction for future research and conceptual framework.

Method
We used an SLR method to achieve our research objectives. The SLR is a valuable approach because it uses a transparent and reproducible methodology to source and synthesize knowledge. It also provides a comprehensive view of the existing literature. The SLR technique was used because it aids in mitigating bias and increases the likelihood of reproducibility. Our SLR follows the PSALSAR (Protocol, Search, Appraisal, Synthesis, Analysis and Report) integrated approach (Mengist et al., 2020; Paul et al., 2023; Yeboah, 2023). The PSALSAR six-step approach to SLR involves Protocol (specifying the research scope), Search (establishing the search string and database(s)), Appraisal (predefining inclusion and exclusion, and quality assessment criteria), Synthesis (exploring, extracting and categorizing the data), Analysis (summarizing the result and conclusion), and Reporting (communicating the methodology and result). The PSALSAR methodological approach ensures exhaustiveness, systematization, methodological accuracy and replicability (Mengist et al., 2020). Table 1 and Figure 1 summarize our PSALSAR protocols. We followed this step-by-step approach to synthesize the risk governance research field, in line with the recommendations of previous studies (Aebi et al., 2012; Karyani et al., 2020).

Search strategy
In order to find pertinent studies, we first selected the search strings. As stated by Rowley and Slack (2004), search strings have to be precise. To finalize our keyword search, we did some preliminary study to familiarize ourselves with the prevailing literature on risk governance issues. We broadened our search terms so as to capture literature with a variety of taxonomies. After trying different combinations of search terms, we settled on the search keywords shown in Table 1.

Search Protocol: Narrations
Keywords: "Risk Governance" OR "Risk committee" OR "Risk management committee" OR "chief risk officer" OR "Board risk oversight" OR "CRO" OR "Enterprise risk management" OR "Board risk committee" OR "Risk governance structure" OR "Voluntary risk management committee"
Step 1: Keywords; WOS (n=91,190); N=59,882
Step 2: English Articles
Step 3: Subject Area
Step 5: Full text screening
Step 6: Deleted duplicates on both databases
Step 7

Data sources
We applied our keywords on the Web of Science (WoS) and SCOPUS databases on 31 December 2021. The use of both WoS and SCOPUS for SLR has been advocated as these are the largest databases that index the most extensive peer-reviewed scientific research across multiple disciplines and subjects.

Inclusion and exclusion criteria
Inclusion, exclusion and quality assessment criteria, following prior research, helped us to focus on the most relevant studies for our research objectives (Alhossini et al., 2021;Khan et al., 2022;Yeboah, 2023), as described in Table 2.
We also followed the screening and eligibility protocols adopted by previous SLR studies Kafidipe et al., 2021;Mengist et al., 2020). After following the SLR protocols recommended by previous studies and the steps outlined in Table 1 and Figure 1, we identified 151 articles suitable for the study. Finally, we used content analysis to identify trends, hotspots, gaps, and a future research agenda in the field of risk governance. All co-authors conducted three rounds of coding independently, and the final coding results were reviewed by all to reach consensus on the themes. Our multi-stage coding and results validation approach has been widely used in previous SLR studies .
The 151 articles were scrutinized following an interpretative synthesis, as followed by Jones et al. (2011) and Moreira et al. (2023). The main themes covered were inductively derived as a result of the main arguments, theories, concepts, contexts, characteristics, ideas and methods covered in the 151 manuscripts. A content and thematic analysis was carried out to capture the explanatory core perspective and the main methods used in order to address the TCCM approach referred to above.

Exclusion Criteria
Exclusion criteria (1) Conceptual articles, editorials, book chapters, conference papers, and commentaries were not considered.
Exclusion criteria (2) Papers that examine the board of directors in general without investigating risk committees were excluded.
Exclusion criteria (3) Papers published in journals with a lower impact factor or in journals without an impact factor were excluded.

Defining risk governance
Risk Governance has been defined by industry players (BCBS, 2015; FSB, 2013; IFC, 2012; IRGC, 2008; SRA, 2018) and scholars (Ames et al., 2018; Jankensgård, 2019; Lundqvist, 2015; Renn & Katherine, 2008). Most industry players largely define risk governance as identification, assessment, management and communication of risk (IFC, 2012; IRGC, 2008; SRA, 2018). Financial service regulators emphasize the role of the board, CRO and management assurances in the definition of risk governance (BCBS, 2015; FSB, 2013). Definitions offered in the scientific field are also aligned with the industry definition. Early scholars' risk governance definitions focused on risk identification and management (Lundqvist, 2015; Renn & Katherine, 2008; Stein & Wiedemann, 2016). Recent studies define risk governance and assign risk governance responsibility to the board, risk committee, CRO and management assurances (Ames et al., 2018; Jankensgård, 2019). Notably, Jankensgård's (2019) definition highlights the importance of linking the firm risk management decision to the firm objectives. In this study, we define risk governance as a risk defensive mechanism, stakeholder risk ownership and leadership that enable firms to identify, evaluate, control and communicate risk for shareholder maximization. Additionally, for this research, risk governance encompasses risk governance mechanisms including risk committee, enterprise risk management, board risk oversight and the role of CRO fashioned to contain risk. Table 3 includes a variety of risk governance definitions from both practical and academic sources.

Figure 2 shows the trend in the production of scientific articles in the field of risk governance research over the years, in response to research question 1 (RQ1). As can be seen, there has been a steady increase in the number of academic studies on risk governance published annually since 2005. Early studies in this field tended to focus on defining concepts, which can be attributed to the aftermath of the 2008 financial crisis. However, the field gained more proponents starting in 2015 with a surge in risk governance research since then, with a peak of 37 articles in 2021. On average, 11 articles were published annually between 2005 and 2021. The list of 151 research studies, organized chronologically and coded by year of publication, can be found in Table A.1 in the appendix. The data in Figure 2 and the direction of future research suggest that this field will continue to grow.

Theoretical choices
Several theories have been employed to support the theoretical foundation for empirical examination of risk governance. Scholars aligned their studies using theories from disciplines including psychology, sociology, organizational behavior, finance and management. Agency theory (AT) was the most widely used theory, with 79 articles using it in explaining risk governance. According to AT, risk is prevalent due to the rent-seeking and opportunistic behavior of managers.  identified three areas in which AT is relevant to risk governance research: the operationalization of risk management by the board to control risk appetite; identification, monitoring, and management of risk by an empowered risk committee; and active management and reporting of risk by an empowered Chief Risk Officer directly to the board.
Resource Dependence Theory (RDT), which was used in 22 studies, has proven to be beneficial in risk governance research. Through the lens of RDT, firms are responsible for facilitating access to critical resources, reducing external shocks, and promoting sustainability Wu et al., 2016). Signaling theory (ST) is another theory that supports 17 risk governance studies. ST posits that effective risk management signals to the market that a firm has good corporate governance practices (M. B. U. Bhuiyan et al., 2020; Sekome & Lemma, 2014; Yahaya et al., 2020). Our analysis also shows that stakeholder theory and legitimacy theory each had 13 observations in the risk governance literature. While stakeholder theory focuses on prioritizing the collective interests of stakeholders in risk management (Chairani & Siregar, 2021;Ghazieh & Chebana, 2021), legitimacy theory encourages firms to engage in desirable activities to protect long-term sustainability (Chairani & Siregar, 2021;Erin, Adebola, et al., 2020).
Stewardship theory and resource-based view theory were mentioned eight times each, while Institutional Theory was referenced by 11 publications. Contingency theory was examined four times. Additionally, Audit Pricing Theory, Proprietary Cost Theory, and Upper Echelons Theory were each referenced three times. Finally, Table 4 contains the rest of the theories in risk governance research, namely portfolio theory, decision usefulness theory, deep pocket theory, deposit money bank loan theory, helping hand theory and busyness theory. Few papers applied co-evolution theory, litigation theory, managerial hegemony theory, neo-institutional theory, option theory, grabbing hand theory, social mirror theory and value maximization theory.

Risk governance definitions (Table 3)
Renn & Katherine D. Walker (2008, p. 9) ..involves the "translation" of the substance and core principles of governance to the context of risk and risk-related decision-making
Lundqvist (2015, p. 442) ..the marriage of corporate governance and risk management, and it is the identifying component of an enterprise risk management system
Nahar, Jubb, et al. (2016, p. 250) ..relates to the rules, processes and procedures that help to identify the risk(s) and take corrective actions accordingly.
Stein and Wiedemann (2016, p. 828) ..a regulative system at a higher-order level, designing risk regulation models for risk management, determining model risks, performing research and development in risk issues.
Ames et al. (2018, p. 131) ..risk management-related corporate governance mechanisms, such as chief risk officers and board risk committees.
Jankensgård (2019, p. 574) ..a set of mechanisms by which the Board of Directors ensures that managers, at all levels of a decentralized organization, undertake the risk management decision that are in the best interests of the firm.
IRGC (2008, p. 3) ..identification, framing, assessment, management and communication of risks in a broad context.
IFC (2012, p. 7) ..the principles of good governance, applied to the identification, assessment, management and communication of risk. It incorporates the principles of accountability, participation, and transparency in establishing policies and structures to make and implement risk-related decisions.
FSB (2013, p. 6) ..the role and responsibilities of the board, the firmwide CRO and risk management function, and the independent assessment of the risk governance framework
BCBS (2015, p. 2) ..overall framework through which the board and management establish and make decisions about the bank's strategy and risk approach; articulate and monitor adherence to risk appetite and risk limits vis-à-vis the bank's strategy; and identify, measure, manage and control risks
SRA (2018, p. 8) ..The application of governance principles to the identification, assessment, management and communication of risk
Our findings also show that researchers merely refer to theories without delving into them in depth or drawing on them when formulating hypotheses (see Battaglia & Gallo, 2015; Galletta et al., 2021; Larasati et al., 2019; Mardessi & Ben Arab, 2018). Other studies did not even indicate the theoretical framework used (e.g., Chavarín, 2020; Hoque et al., 2013; Magee, Schilling, et al., 2019; Raouf & Ahmed, 2020). These findings provide an answer to RQ2 on the theoretical choices of risk governance scholars.

Methodological choices
Table 5 shows that the majority (85%) of studies, in response to research question 2 (RQ2), utilized a quantitative approach, with regression analysis being the most common method employed. OLS regression was the most popular, with 40 studies, followed by panel regression, which was used in 19 studies. GMM and logistic regression were utilized in 15 and 12 studies, respectively. 11 studies conducted 2SLS regression analysis, while multivariate regression was applied in 10 studies. Probit regression was used in 8 studies, but three recent studies have explored hierarchical regressions (Erin & Aribaba, 2021; Erin, Adebola, et al., 2020; Farhan et al., 2020). In a novel study, Nahar and Jahan (2021) justified the use of 3SLS regressions when they tested the moderating effect of a risk committee in 160 banks in 45 countries.
Seven studies were found to be based on the propensity score model, while five studies applied data envelopment analysis (DEA). Factor analysis and Structural Equation Modeling (SEM) were used independently in two studies. Furthermore, few studies perform mean differential analysis, including ANOVA, the Mann-Whitney U-test, the t-test and Chi-square. Finally, Sassen et al. (2018) survey risk governance intellectual structure with meta-analysis.

Geographical coverage
To answer RQ3, Table 6 shows that single country studies dominate the research field, with 80% of the papers (120 studies) being single country studies. The financial systems of the United States, Malaysia, Australia, and Nigeria have received most attention, although risk governance is a global issue. The United States was the most studied country with 24 studies, while Brazil and Mexico were studied for the Latin America and Caribbean continent with only two studies each. In Europe, Italy, Spain, and the United Kingdom had two studies each, while Romania and Turkey had one study each. Asia was the most studied continent, led by Malaysia (20 studies), followed by Australia (15 studies) and Indonesia (8 studies). Other Asian countries studied include India, Bangladesh, China, Palestine, Saudi Arabia, Iran, Japan, Kuwait, Qatar, and Taiwan. In Africa, Nigeria led with 15 studies, followed by Tunisia, Ghana, Ethiopia, and South Africa.

Only a few studies have a global outlook (Hossain & Farooque, 2019; Ittner & Oyon, 2020; Magee, Schilling, et al., 2019; Mollah et al., 2019; Nahar & Jahan, 2021). Cross-country studies are sparse. Both Asia and Europe documented limited cross-country studies. Whereas 16 cross-country studies were reported in Asia, Europe exhibited eight cross-country studies. A Sub-Saharan study conducted by Yahaya et al. (2020) is the only cross-country study in Africa. Latin America and the Caribbean are the least studied region, with no cross-country studies. Table 6 shows the distribution of articles across geographical regions.

Industry focus of risk governance studies
Also related to RQ3, risk governance studies span a wide range of industries besides financial institutions. Universal banks are the most studied, with 46 reported studies, as they are required by regulation to maintain a board-level risk committee. A broad range of financial institutions were also studied, with 17 reported studies. In addition, specialized financial services, including insurance, dual banking, Islamic banking, and private banking, have attracted the attention of scholars.
It is noteworthy that a significant 34 studies have been conducted using multi-industry samples drawn from both financial and non-financial industries. Non-financial firms were the focus of 28 studies, while Arsad et al. (2021) conducted a study among Islamic non-financial firms. The manufacturing industry was also included, with studies of manufacturing firms and fast-moving consumer-goods (FMCG) firms. The frequency of studies by industry is summarized in Table 7.

Risk governance dimension
Finally, to complete the answer to RQ3, we document research on risk governance dimensions. We observe in Tables 6 and 7 that 106 studies, representing 70.2% of the research in the field, study a single dimension of risk governance, while the remaining 45 studies, accounting for 29.8%, consider multi-dimensional risk governance. However, concerns have been raised about the use of a unitary measurement of risk governance. These concerns have led scholars to construct a risk governance index (RGI) (Aljughaiman & Salama, 2019;Zhang, Li, & Ortiz, 2021).
RGI has been developed based on risk governance guidelines issued by the Basel Committee for Banking Supervision (BCBS) in 2015 and the International Financial Council (IFC) in 2012, and its development can be traced back to the work of Ellul and Yerramilli (2013). There have been a number of different versions of the RGI constructed, including ones with five indicators (Prakash et al., 2021), 17 items, 19 elements (Raouf & Ahmed, 2021), and 22 items (Fakhfakh & Jarboui, 2020). The RGI has also been applied to different types of financial institutions, including insurance firms and banks in the dual banking system.
The effects of the RGI on financial institutions have been mixed. Some research has found that financial institutions with a stronger RGI are less vulnerable to the sovereign debt crisis (Dupire et al., 2021) and have a lower predicted default frequency for insurance firms. The RGI has also been found to contribute to enhancing financial stability in a dual banking setting (Raouf & Ahmed, 2021). In terms of risk-taking behavior, a higher RGI has been found to lower tail risk and increase return on assets (Ellul & Yerramilli, 2013), and to influence the risk-taking of banks (Zhang, Li, & Ortiz, 2021). However, other research has found a negative association between the RGI and risk-taking (Aljughaiman & Salama, 2019), and no effect of the RGI on the profitability of Asian banks.
To delineate and encompass diverse aspects of risk governance, research in the field reports two or more risk governance dimensions. As shown in Tables 6 and 7, two dimensions dominate multidimension risk governance studies. Our review shows that 21 studies focused on the role of RC and CRO. There is mixed evidence on the impact of the risk committee and CRO on risk and performance outcomes. Some studies have found that the presence of a risk committee or CRO can influence risk-taking (Aljughaiman & Salama, 2019), while others have found that they tend to make banks less risky. The presence of powerful owners has also been found to limit the presence of both the risk committee and CRO (Dupire & Slagmulder, 2019). In terms of the relationship between the risk committee, CRO, and Enterprise Risk Management (ERM), some studies have found that the risk committee can significantly impact ERM disclosures and promote better ERM practices and financial and market performance (Horvey & Ankamah, 2020). The presence of a CRO has also been found to be positively correlated with a higher degree of ERM implementation (Mardessi & Ben Arab, 2018) and ERM sophistication (Ittner & Oyon, 2020). However, other research has found that while ERM adoption is not necessarily associated with changes in firm performance, the presence of a CRO can actually reduce performance. In more comprehensive studies considering the interplay of the risk committee, CRO, and ERM, the risk committee and ERM have been found to have a positive and significant effect on reducing cybercrime, while all three factors have been found to significantly and positively impact firms' financial performance.

Risk governance gender diversity
There is a debate in the literature about the value of gender diversity in risk governance. Some studies have suggested that having women on the risk committee sends a positive signal to external stakeholders (M. F. , but others have raised concerns that including women on the committee may be seen as tokenism rather than genuine diversity (M. F. . In support of this view, M.  found that the presence of women on the risk committee had a significantly negative effect on stock market value, suggesting that female members were treated as representations rather than fully utilized.
Despite these concerns, other research has highlighted the potential benefits of gender diversity in risk governance. M.  argued that the presence and participation of women on the risk committee can enhance productivity and efficiency. Aldhamari et al. (2020) found that women members of the risk committee devoted more time to risk management functions and performed better as monitors of risk.  found that having more women than men on the risk committee who have financial expertise was more effective in reducing financial distress. Aldhamari et al. (2020) also reported that higher representation of women on the risk committee was associated with stronger ERM and financial performance, and Aldhamari et al. (2020) found that the gender composition of the risk committee was positively and strongly linked to accounting performance. On the other hand, M.  were unable to find evidence that the presence of female members on the risk committee had a significant impact on audit fees, and among US-listed firms, the presence of female directors on the risk committee was found to be negatively and significantly related to financial constraints risk (M. . There has been relatively little research on the diversity of the CRO or the chair of the risk committee. Figure 3 presents a conceptual model that integrates all aspects of risk governance to provide a holistic understanding of the topic. This framework can be used to guide future research and improve understanding of risk governance. The model suggests that risk governance should be conceptualized as a multidimensional concept, comprising risk committee (Alhajri, 2017), ERM (Callahan & Soileau, 2017), the CRO (Amoozegar et al., 2017), and board level risk oversight (M. . The interaction of these broader dimensions helps to effectively cover risk. Board level risk oversight is a critical layer in strengthening risk governance. 
Our review also highlights the under-researched role of the CRO and the lack of exploration of mediation and moderation relationships in the field of risk governance.

Discussion and future research direction
Our review maps the intellectual structure of risk governance research to identify trends, hotspots, and gaps in the field (to answer RQ4). Previous research has examined various dimensions of risk governance, with a significant focus on risk committees and reliance on annual reports for empirical studies. The role of the CRO has received limited attention. There is also a lack of research on gender diversity in risk governance, particularly with regard to CRO gender, the gender of risk committee chairs, and the presence of female experts on risk committees. Our review also reveals that few studies have a global perspective and cross-country research is scarce. Additionally, only a few studies have explored the mediation and moderation relationships in risk governance. Based on our review, we employed the TCCM framework of Paul and Rosado-Serrano (2019) to suggest areas for future research to advance understanding of risk governance.

Theoretical (T) advancement
Risk governance studies rely on various theories, thus highlighting the need for an expanded theoretical foundation. As shown in Table 4, agency theory predominates over the other 25 theories. This finding is in line with that documented by Alhossini et al. (2021) for corporate board committees and by Lu et al. (2022) for the board of directors' attributes. Furthermore, it was noticed that theoretical application was rare, with few studies connecting their results to a preconceived theoretical framework. Researchers may improve understanding of risk governance by emphasizing theoretical contributions and how their findings apply to established theoretical frameworks. Hence, future studies should prioritize and explicitly connect a theoretical framework with their hypothesis and empirical results as demonstrated by a handful of studies. Our findings also show that the management and strategy fields are the origin of all the applied theories. As a result, existing theories on risk governance need to be complemented by new, integrated, and multi-theoretical perspectives leading to richer insights and a holistic perspective. This is also supported in the findings of Nguyen et al. (2020). For example, cultural theories, which may affect RC behavior, are rarely used in this discipline. Schwartz's (1992) theory of values could be used to explain RC transparency culture, RC organizational culture, and risk culture (Gontarek & Belghitar, 2018; Zhang, Li, & Ortiz, 2021).

[Figure text recovered from extraction. Risk items: risk framework, risk ownership, risk map, risk appetite, risk culture, risk management practices, policies and objectives, risk reporting, risk oversight, risk assessment. Moderators: emission trading system, corporate governance, earnings management, risk management, RC's characteristics. Control/Context Attributes: corporate governance variables; firm characteristics.]

New context (C) coverage
It would be beneficial to conduct research on the following unexplored contexts:

Chief Risk Officer Traction
The role of the CRO in risk governance has received relatively little attention in the literature. However, some studies found that having a CRO can improve firms' financial health and reduce the likelihood of shareholder class action litigation (Amoozegar et al., 2017). Other research has shown that banks with CROs who report directly to the board have higher stock returns (Aebi et al., 2012). Researchers have also examined the appointment, importance, and presence of CROs, as well as their level of reporting responsibility and their role in the board of directors or executive management team. In addition, the qualifications, experience, and expertise of CROs have been studied, as well as their compensation packages and their rank among the highest paid executives. Finally, researchers have looked at various characteristics of CROs, including their tenure, independence, gender, and nationality, as well as their centrality within the organization and any dual-hatting or cross-directorship roles they may have. The centrality of CROs is not well represented in the literature, which opens the door for new research streams. Financial service regulators have promoted CRO dual-hatting (BCBS, 2015; FSB, 2013), but only Dupire and Slagmulder (2019) and Raouf and Ahmed (2021) have attempted to examine this empirically. Therefore, more research on CRO dual-hatting is encouraged. There is also increasing interest in CRO centrality and CRO pay structure, particularly the prevalence of CROs among the five highest-paid executives (Ellul & Yerramilli, 2013). In light of this, additional empirical evidence is needed to deepen our understanding of these issues.

Risk Governance Quadratic Relationship
There is considerable scope for future studies to examine causal relationships in risk governance, as most current studies only test associations. Moreover, our review shows that only 11 studies have examined the quadratic relationship between risk committee (RC), enterprise risk management (ERM) and chief risk officer (CRO). Further research should be directed towards understanding the consequences of the relationship between RC, ERM, and CRO.

Characteristics (C) for new relationship testing
Our review examined construct relationships, including units of analysis and explanatory factors. Future risk governance scholars can investigate these characteristics.

Risk Governance Overlapping
In most cases, risk committee members and chief risk officers (CROs) serve on multiple committees. Studies show that about 79.6% of risk committee (RC) members are overlapping directors, which has raised concerns about the busyness and effectiveness of RC members with overlapping committee membership. However, firms can also use overlapping directors to their advantage, as RC members can utilize skills and knowledge gained from other committee memberships to mitigate risks and improve firm performance (Nahar et al., 2020). While there has been an increase in the number of overlapping directors in recent years, there have been relatively few empirical studies on the implications of this phenomenon, and the results of these studies are contested. Therefore, more research is needed to clarify these uncertainties in the literature. Future studies can conduct in-depth analyses to understand how RC overlapping influences corporate disclosures and the monitoring effectiveness of RC members who are chairpersons of other committees.

Effectiveness and Regulation of Risk Governance
Risk governance studies have moved beyond their initial focus on satisfying regulatory requirements or voluntary establishment for better corporate governance practices. Abid et al. (2021) argue that risk governance effectiveness mitigates bank risk-taking, and the work of Malik et al. (2020) also supports the idea that ERM effectiveness significantly and positively affects firm performance. However, there is still a need for more studies on ERM effectiveness (M. S. Beasley et al., 2005; Mardessi & Ben Arab, 2018). Similarly, studies on the effectiveness of risk governance are scarce (Ghazieh & Chebana, 2021). Researchers are encouraged to examine how well risk governance mechanisms mitigate information asymmetry (Nahar et al., 2020), as well as the quality and effectiveness of risk committees (Galletta et al., 2021; Sekome & Lemma, 2014). Future studies should also consider the impact of risk governance expertise on risk governance effectiveness and the impact of risk governance effectiveness on firm performance (Nahar et al., 2020). Additionally, exploring the extent/degree of risk governance effectiveness represents a fruitful area for future research (Galletta et al., 2021; Ghazieh & Chebana, 2021). New insights are also needed to understand the cost-benefit analysis associated with implementing and maintaining risk committees (Bailey et al., 2018; Callahan & Soileau, 2017) as well as evidence on risk governance before and after formation (Mohammadi & Mardini, 2016; Musallam, 2018). On the regulatory front, more studies should examine the level of risk governance compliance. To what extent do firms meet risk governance regulatory best practices (Dupire & Slagmulder, 2019; Jia & Bradbury, 2021)? Research addressing how regulation complexity affects risk governance is encouraged.

Methodological (M) improvement
The methodological rigor of risk governance research would be improved by future studies in the following directions:

Risk Governance Moderation and Mediation Relationship
There have been calls in the field of risk governance for more research on the moderating and mediating relationships between different variables (Hossain & Farooque, 2019; Musallam, 2020).
To date, only one study has examined the moderation-mediation relationship between audit certification, earnings management, and risk governance (Fakhfakh & Jarboui, 2020).
In terms of moderating relationships,  found that risk committee gender diversity helped to moderate the negative association between risk and the likelihood of experiencing financial distress. Tao and Hutchinson (2013) also found that the presence of a risk committee helped to moderate the negative relationship between risk and performance outcomes in Australian financial firms. Nahar and Jahan (2021) found that the composition of the risk committee acted as a moderating factor in the link between risk disclosure and the performance of banks, and Prabhawa and Nasih (2021) demonstrated that the risk committee moderated audit costs. However, Hossain and Farooque (2019) found no evidence of a moderating effect.
Concerning mediation, Musallam (2018) found that risk governance acted as a mediator in the relationship between audit committee meetings and corporate social responsibility (CSR) disclosure, but did not mediate the relationship between audit committee size and independence. Karyani and Dewo (2019) found that risk disclosure quality mediated the relationship between bank performance.
Only a few scholars have attempted to evaluate mediation-moderation relationships in risk governance, so more studies should focus on this aspect (Fakhfakh & Jarboui, 2020; Hossain & Farooque, 2019; Musallam, 2020). In particular, researchers can explore how risk governance mediates moral suasion (Dupire et al., 2021). Future studies can also increase our understanding of how the moderating effects of ownership type, CEO duality, firm size, board size, gender, independent directors, profitability, and firm age impact risk governance outcomes (Sassen et al., 2018).

Endogeneity Concerns
Studies of boards suffer from endogeneity because the variables of interest are typically endogenous. Because board and sub-committee membership selection is not random, endogenous associations between members' characteristics and outcomes (firm and board outcomes) are more likely (Kolev et al., 2019). Therefore, not accounting for risk committee formation self-selection bias raises endogeneity concerns. Only 5% of the reviewed studies address endogeneity concerns (Dupire & Slagmulder, 2019; Erin & Bamigboye, 2020; Hoque et al., 2013; Johnston & Soileau, 2020). It is recommended that future studies utilize dynamic/simultaneous-equation models with instrumental variables, propensity score analysis, or Heckman two/three-step approaches to mitigate endogeneity issues.

Overreliance on Annual Reports: Call for Mixed Method Studies
It is worth noting that the vast majority of research in this field has utilized annual report financial data. Subramaniam and McManus (2009) argue that annual reports contain limited information about firms' risk management structures, a limitation also recognized by Ghazieh and Chebana (2021). Therefore, there is a need for mixed-method studies. This result is in line with that documented by Nguyen et al. (2020), Alhossini et al. (2021) and Lu et al. (2022) on methodological limitations. However, data from other forms of firm communication, such as websites, prospectuses, interim reports, and press releases, have not been adequately explored (Nahar & Jahan, 2021; Shahar et al., 2020), providing an opportunity for future research. In particular, studies using risk management disclosures on social media are desirable. Additionally, research using primary data sources, such as in-depth interviews with risk committee members and risk officers (Tao & Hutchinson, 2013), should be prioritized. The implementation of risk governance directives also offers the chance to conduct interviews with financial regulators to determine whether organizations are following best practices (Jia & Bradbury, 2021). Inadequate or non-disclosure of risk governance in annual reports does not necessarily mean that risk governance is absent, making it valuable to conduct case studies to examine the actual risk management techniques employed by firms beyond what is disclosed in annual reports (M. F. .

Conclusions and implications
The main goal of this study is to map out the knowledge structure of risk governance and provide a framework to explain the dimensions, relationships, and outcomes of risk governance. We conducted an SLR using both the Web of Science (WoS) and SCOPUS databases. Our seven-step article screening protocol, shown in Figure 1, resulted in 151 suitable articles for the study after screening 229,519 articles. Our review shows a significant increase in risk governance studies. Agency theory was the dominant theoretical framework. Most risk governance studies were empirical and quantitative, and the majority (85%) used data from annual reports. A large number (80%) of the studies were single-country studies, with a focus on the financial systems of the United States, Malaysia, Australia, and Nigeria. CRO, as a single dimension of risk governance, was the least studied. While risk governance is a multi-dimensional phenomenon, 70.2% of the research in the field studied a single dimension. Additionally, few studies test moderation and mediation relationships in risk governance. While we used WoS and SCOPUS, the largest databases that index the most comprehensive peer-reviewed scientific research across multiple disciplines and subjects, we may have missed additional studies that were outside the scope of these databases. However, our SLR protocol was robust to ensure accurate coverage of the study area. One important contribution of our research is that it maps out the intellectual structure of risk governance in order to identify gaps in the existing body of literature and open up new research opportunities. We also developed a risk governance conceptual framework.
Our paper contributes to the intellectual structure of risk governance in the following ways. First, we provide an up-to-date and exhaustive SLR that covers the existing research on risk governance. Secondly, we bridge the research gap by using data from both WoS and SCOPUS in our review, rather than just one database (Kolev et al., 2019). Additionally, we analyze risk governance mechanisms that extend beyond financial institutions, whose regulators oblige them to have a risk committee, to other sectors that voluntarily maintain a risk committee. This study supports financial regulators' call for prioritizing three-tier risk governance to foster a resilient financial system.
Our study contributes to a deeper understanding of risk governance and to the corporate governance literature by highlighting the importance of the risk committee as a specialized board subcommittee (Kolev et al., 2019). Our analysis provides evidence to support agency theory as the dominant theory to explain risk governance. This is the first study to delve deeply into risk governance dimensions, identify several under-explored areas within each dimension, and suggest future strands that could advance knowledge of risk governance. We identify important but underexplored moderating and mediating variables that affect risk governance.
Our review provides insights for researchers and scholars regarding the research gaps and emerging themes in risk governance. We argue that scholars should explore mixed methods beyond the overreliance on annual reports for risk governance studies. Additionally, several future research avenues have been established in this field and should encourage more research to advance risk governance studies from a multi-disciplinary perspective. Managers and financial system regulators should prioritize three-tier risk governance by efficiently maintaining risk committees at both the board and executive management level. Evidence shows that CROs do not always report to the board, so risk committees and CROs should be adequately empowered. Firm boards should maintain risk committees as specialized committees and appoint highly qualified, independent directors to serve on them, rather than just board members who also serve on other sub-committees, in order to promote risk governance effectiveness. Investors and funding providers could tie their funding to high levels of disclosure and strict compliance with risk governance. This study suggests that governments, society, and stakeholders in the global financial architecture should adopt a stricter precautionary stance to prevent future financial crises due to excessive risk-taking behavior. Additionally, our study contributes to achieving the United Nations' Sustainable Development Goal 8 target 10 of strengthening financial institutions' capacity while promoting a resilient financial system. This study has the following limitations. It focuses on research indexed in SCOPUS and WoS, the richest and most reliable sources. Therefore, studies from other journals not indexed in these databases may have been ignored. Additionally, conference papers, book chapters, and non-English articles were also excluded based on our methodology protocol outlined in Figure 1. Future research may expand the databases and publication types. 
Our study applied inclusion and exclusion criteria such as keyword combinations and restrictions to specific research categories/ subject areas. For example, risk governance in the context of projects, engineering, mining, and natural disasters was excluded. Future research may consider risk governance in these contexts and consider using different or extended keywords for other perspectives.